DETAILED ACTION 
Response to Arguments 

Applicant's arguments filed 3/02/07 have been fully considered but they are not persuasive. 
Applicant argues: 

I. The cited reference (Grimm) does not teach, "in response to a system call, executing a hook routine." 

Applicant states that a system call is an operation which transfers control of a processor, such as 
by stopping the current processing in order to request a service provided by an interrupt handler. 
Applicant further argues that executing a hook routine transfers control of a processor. Examiner 
respectfully contends that these arguments render the claim ambiguous and indefinite. According to 
these arguments, the claim language would essentially read, "in response to an operation which transfers 
control of a processor, executing a hook routine which transfers control of a processor at a location of 
said operation which transfers control of a processor." Examiner further argues that applicant's 
arguments are not aligned with applicant's previously submitted specification. Namely, applicant argues 
that a hook routine is a program that works at the transfer of control of a processor. It is unclear whether 
applicant intends to mean that a hook routine works at the transfer of control of a processor or if a hook 
routine actually transfers control of a processor, or both. Further, applicant's specification defines 
hooking as the insertion of an additional routine at a call location. The numerous definitions of what a 
hook routine is, both in applicant's specification and applicant's arguments, make it unclear to examiner 
which definition is actually intended and further makes the difference between a system call and a hook 
routine unclear. For these reasons, applicant's argument that Grimm does not disclose or suggest 
responding to a system call is not persuasive. Examiner maintains his original interpretation of the claim 
language, and the original rejection of claims 1, 8, and 14 is maintained. 

II. Grimm does not teach "determine a data flow or process requested by said call." 
Examiner respectfully disagrees. It is clear that when a software component is executed by the 
system, a data process is requested. It is further clear that this process is determined because it must be 
intercepted. Applicant's argument that the hooking routine generates an icon or other graphical 
representation of the current operation is insufficient to overcome the rejection because it is not present in 
the current claim language and thus will not be addressed. Applicant's arguments on page 6, 2nd 
paragraph also pertain to this argument but also are not present in the current claim language. Said 
arguments suggest that certain steps are not taught by the Grimm reference. These steps are not in the 
current claim language. 

III. The present application clearly indicates that it is desirable to hook the lowest level calls 
where possible. 

Examiner assumes that by arguing this point, applicant intends to imply that the Grimm reference 
does not hook the lowest level calls. In accordance with applicant's specification, later versions of 
Windows, which are not based on DOS operating systems, are based on high level system calls. Based 
on examiner's interpretation, it is possible that in some operating systems it won't be possible to hook the 
lowest level calls. Therefore, it is possible to conclude that high level system calls are hooked. Therefore 
applicant's above argument is not sufficient to overcome the rejections. 

IV. Grimm does not disclose "said information flow diagram illustrates locations of said data at 
stages of a processing activity." 

Examiner respectfully disagrees and contends that the cited "audit record" accomplishes the above. 

V. Grimm does not disclose "said system call is selected from the set of: open file, copy file to 
memory, copy memory to register, mathematical functions, write to file, or network or communication 
functions." 

See Grimm, col. 1, lines 58-67 and col. 2, lines 1-16, where it is clear that system calls are 
monitored in order to provide indication to security administrators of various network or communication 
functions. 

VI. Grimm does not disclose "said system call is a software interrupt of an operating system." 
Applicant defines software interrupts as program generated interrupts that stop the current 
processing in order to request a service provided by an interrupt handler. Examiner contends that the 
cited reference teaches that the original software component is stopped in its current activity and 
modified. Examiner contends this is analogous to the claimed invention. 

In view of the above arguments, examiner concludes that applicant's arguments are not 
persuasive in overcoming the rejections of the previous office action and thus, said rejections are 
maintained. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

Claims 1-14 are rejected under 35 U.S.C. 102(b) as being anticipated by Grimm et al., 
US Patent No. 6,317,868, hereinafter Grimm. 
As per claim 1, 8 and 14 Grimm teaches: 

A method for detecting malicious software within or attacking a computer system, said method comprising 
the steps of: 

[see column 8, lines 56-60] "the present invention readily enables administrators and users of 
computer systems to enforce site specific security policies on software components by applying 
access control, protection domains, and auditing trails." 

in response to a system call, executing a hook routine at a location of said system call to 
[see column 4, lines 23-27] "When software component 11 as originally created needs to be 
loaded for execution by a computer, the present invention provides an introspection service 13 
that intercepts the software component for analysis. " 

(a) determine a data flow or process requested by said call, 

[see above, "original software component 11 needed to be loaded for execution."] 

(b) determine another data flow or process for data related to that of said call, 



Application/Control Number: 10/696,200 
Art Unit: 2136 



Page 5 



[see column 4, lines 65-67 and column 5, lines 1-2] "a component system (i.e., a computer or 
workstation) to which the original software component was directed for execution issues a 
command to load the software component for execution. Instead, the original software 
component is loaded and parsed as indicated in a block 12. " 

[see column 6, lines 17-20] "A call is made to the component operation in a block 100. The 
modified software component invokes enforcement service 19 before the original component 
operation is executed. " 

(c) automatically generate a consolidated information flow diagram showing said data flow or process of 
said call and said other data flow or process, and after steps (a-c), 

[see column 7, lines 27-31] "A positive response to either of decision blocks 140 or 160 causes 
an audit record to be created in a block 142 or in a block 162, respectively. In the event that an 
audit record is necessary, one is created that lists the component operation, its arguments, any 
access control checks, and their results." 

(d) call a routine to perform said data flow or process requested by said call. 

[see column 6, lines 6-9] "After a modified software component has been loaded (i.e., linked and 
activated) by a component system, it executes on the component system in the same manner it 
would have prior to modification by the present invention" 
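The claim-1 mapping above describes a hook that runs at the call site, determines the flow requested by the call, relates it to other data, consolidates the flows into a diagram, and only then invokes the original routine. The following Python block is an added illustration of that sequence; it is not code from this office action, from the Grimm patent, or from the applicant's application. The "system calls" are constructed Python stand-ins, and the FlowMonitor class, the node labels such as file:/etc/hosts, and the DOT rendering are assumptions made for the demonstration.

```python
"""Toy system-call hook that records information flow before calling through.

Added example for illustration only. The 'system calls' below are constructed
Python functions standing in for real OS calls; the flow-graph format is an
assumption of this example, not of any cited document.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for low-level calls (real code would interpose on the OS).
_FILES: Dict[str, bytes] = {"/etc/hosts": b"127.0.0.1 localhost"}
_NETWORK_LOG: List[Tuple[str, bytes]] = []


def open_file(path: str) -> bytes:
    return _FILES[path]


def write_file(path: str, data: bytes) -> None:
    _FILES[path] = data


def send_network(host: str, data: bytes) -> None:
    _NETWORK_LOG.append((host, data))


@dataclass
class FlowMonitor:
    """Interposes on a call table and builds a consolidated source->sink graph."""
    table: Dict[str, Callable]
    edges: List[Tuple[str, str]] = field(default_factory=list)
    _lineage: Dict[int, str] = field(default_factory=dict)   # id(data) -> origin
    _originals: Dict[str, Callable] = field(default_factory=dict)

    def install(self) -> None:
        # Replace every entry with a hook that wraps the original (the "call location").
        for name, fn in list(self.table.items()):
            self._originals[name] = fn
            self.table[name] = self._make_hook(name, fn)

    @staticmethod
    def _classify(name: str, args: tuple) -> Tuple[str, str]:
        # (a) determine the flow requested by this call: where data comes from / goes to
        if name == "open_file":
            return f"file:{args[0]}", "process:memory"
        if name == "write_file":
            return "process:memory", f"file:{args[0]}"
        if name == "send_network":
            return "process:memory", f"net:{args[0]}"
        return "process:memory", f"call:{name}"

    def _make_hook(self, name: str, original: Callable) -> Callable:
        def hook(*args):
            src, dst = self._classify(name, args)
            # (b) determine the related flow: the origin of the data being passed, if known
            origin = self._lineage.get(id(args[-1])) if len(args) > 1 else None
            if origin is not None and origin != src:
                # (c) consolidated edge: original source straight to the final sink
                self.edges.append((origin, dst))
            self.edges.append((src, dst))
            # (d) now perform the operation the caller actually requested
            result = original(*args)
            if isinstance(result, bytes):
                self._lineage[id(result)] = src   # remember where this data came from
            return result
        return hook


def to_dot(edges: List[Tuple[str, str]]) -> str:
    """Render the consolidated flow graph in Graphviz DOT syntax."""
    lines = ["digraph flow {"]
    lines += [f'  "{a}" -> "{b}";' for a, b in edges]
    lines.append("}")
    return "\n".join(lines)


def run_demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a program reads a file and sends its contents out."""
    table = {"open_file": open_file, "write_file": write_file, "send_network": send_network}
    monitor = FlowMonitor(table)
    monitor.install()
    data = table["open_file"]("/etc/hosts")
    table["send_network"]("203.0.113.5", data)   # documentation-range address, constructed
    return monitor.edges


if __name__ == "__main__":
    print(to_dot(run_demo()))
```

The lineage map is what turns two independent call records (a file read, a network send) into the single consolidated edge file:/etc/hosts -> net:203.0.113.5 that a reviewer would actually want to see; the original routine is still invoked unchanged after the record is made, so the monitored program behaves as it would without the hook.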

As per claim 2, Grimm teaches: 

A method as set forth in claim 1, wherein a user monitors said information flow diagram and compares the 
data flow or process of steps (a) and (b) with a data flow or process expected by said user. 

[see column 6, lines 58-63] "The enforcement service then performs access checks on each 
argument, or object, to be passed to the component operation. Each of these tests is made by 
querying the security policy service with the security identifier of the subject and the security 
identifier of the object to be checked." 



As per claim 3 and 9, Grimm teaches: 

A method as set forth in claim 1, wherein said information flow diagram illustrates locations of said data at 
stages of a processing activity. 

[see above, "A positive response to either of decision blocks 140 or 160 causes an audit record to 
be created in a block 142 or in a block 162, respectively."] 
The audit trail can be created at blocks 142 and 162 of the process. 



As per claim 4 and 10, Grimm teaches: 

A method as set forth in claim 1, wherein said system call is selected from the set of: open file, copy file to 
memory, copy memory to register, mathematical functions, write to file, and network or communication 
functions. 

[see column 4, lines 27-34] "Based upon information determined by introspection service 13, a 
security policy service 15 instructs an interposition service 17, which is also included in the 
present invention, how to modify the original software component to adhere to the security 
policies of the site." 

As per claim 5 and 11, Grimm teaches: 

A method as set forth in claim 1, wherein said system call is a software interrupt of an operating system. 

[see column 4, lines 27-34] "Based upon information determined by introspection service 13, a 
security policy service 15 instructs an interposition service 17, which is also included in the 
present invention, how to modify the original software component to adhere to the security 
policies of the site. " 

As defined by applicant's specification, software interrupts are program generated interrupts that stop 
the current processing in order to request a service provided by an interrupt handler. Grimm's invention 
teaches that the original software component is stopped in its current activity and modified, as seen 
above. 

As per claim 6 and 12, Grimm teaches: 

A method as set forth in claim 1, wherein said system call causes a processor to stop its current activity 
and execute said hook routine. 

[see rejection of claim 1 wherein the software component is intercepted.] 

As per claim 7 and 13, Grimm teaches: 

A method as set forth in claim 1 wherein said system call is made by malicious software. 

[see column 7, lines 63-67] "the security policy service returns the appropriate access mode, and 
enforcement service 19 determines whether the returned access mode includes the specified 
access mode. If the returned access mode includes the specified access mode, then the check is 
successful." 
Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

POINTS OF CONTACT 

Any response to this Office Action should be faxed to (571) 273-8300 or mailed to: 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally 
be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nasser Moazzami, can be reached on 571-272-4195. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Daniel L. Hoang 
5/28/07 



